From: Greg Hudson
Date: Tue, 21 Feb 2012 18:57:44 +0000 (+0000)
Subject: kvno ASN.1 encoding interop with Windows RODCs
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=7558fb3af9f9fdfb8195333c11a70ab7b354f82c;p=krb5.git

kvno ASN.1 encoding interop with Windows RODCs

RFC 4120 defines the EncryptedData kvno field as an integer in the range of unsigned 32-bit numbers. Windows encodes and decodes the field as a signed 32-bit integer. Historically we do the same in our encoder in 1.6 and prior, and in our decoder through 1.10. (Actually, our decoder through 1.10 decoded the value as a long and then cast the result to unsigned int, so it would accept positive values >= 2^31 on 64-bit platforms but not on 32-bit platforms.) kvno values that large (or negative) are only likely to appear in the context of Windows read-only domain controllers. So do what Windows does instead of what RFC 4120 says.

ticket: 7092

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25703 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 5ed17528b..2efbf7cd2 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -173,8 +173,16 @@ DEFNULLTERMSEQOFTYPE(seqof_host_addresses, address_ptr); DEFPTRTYPE(ptr_seqof_host_addresses, seqof_host_addresses); DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_host_addresses, ptr_seqof_host_addresses); +/* + * krb5_kvno is defined as unsigned int, but historically (MIT krb5 through + * 1.6, and through 1.10 in the decoder) we treat it as signed, in violation of + * RFC 4120. kvno values large enough to be problematic are only likely to be + * seen with Windows read-only domain controllers, which overload the high + * 16-bits of kvno values for krbtgt principals. Since Windows encodes kvnos + * as signed 32-bit values, for interoperability it's best if we do the same. + */ DEFFIELD(enc_data_0, krb5_enc_data, enctype, 0, int32); -DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_uint); +DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_int); DEFFIELD(enc_data_2, krb5_enc_data, ciphertext, 2, ostring_data); static const struct atype_info *encrypted_data_fields[] = { &k5_atype_enc_data_0, &k5_atype_enc_data_1, &k5_atype_enc_data_2
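Review bot: the comment's "in violation of RFC 4120" understates what the switch from opt_uint to opt_int on enc_data_1 means on the wire: a kvno in the range 2^31..2^32-1 is now emitted as a negative DER INTEGER (four content bytes with the top bit set) instead of the non-negative five-byte form a UInt32 requires, so a peer that decodes kvno strictly per RFC 4120 will reject it. Suggest saying so explicitly in the comment, e.g. "so for interoperability we encode it as a signed 32-bit value even though strict RFC 4120 decoders may reject the negative form", so the trade-off is recorded next to the field definition rather than only in the commit message. The comment also describes decoder behaviour ("through 1.10 in the decoder"), but this hunk touches only asn1_k_encode.c; the commit message notes that the old decoder rejects non-negative values >= 2^31 on 32-bit platforms, so please confirm the decoder-side change that makes acceptance platform-independent is part of this commit. Minor: "high 16-bits" should read "high 16 bits".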
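To make the interoperability problem in the commit message concrete, here is an added Python model (not krb5 code; all function names are mine) of the two encodings of the EncryptedData kvno field and of the decoder behaviours the message describes: the strict RFC 4120 UInt32 reading, the old MIT "decode into a long, cast to unsigned int" path on 32-bit and 64-bit platforms, and a lenient decoder that accepts both forms. The RODC-style kvno it runs through every pairing is a constructed value with the top bit set, not one captured from a domain controller.

```python
"""Signed vs unsigned DER encoding of the Kerberos EncryptedData kvno field.

Added example, not krb5 code.  It models the RFC 4120 encoding (UInt32, never
negative), the Windows / legacy-MIT encoding (signed 32-bit), and the decoder
behaviours the commit message describes.  The RODC-style kvno in main() is a
constructed value, not one captured from a real domain controller.
"""
import struct


def der_integer(value: int) -> bytes:
    """Minimal DER encoding of an ASN.1 INTEGER: tag 0x02, short-form length,
    two's-complement content with no redundant leading 0x00/0xFF bytes."""
    nbytes = (value.bit_length() + 8) // 8          # leaves room for the sign bit
    content = value.to_bytes(nbytes, "big", signed=True)
    while len(content) > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        content = content[1:]                       # DER requires the shortest form
    assert len(content) < 128                        # 32-bit values never need long form
    return b"\x02" + bytes([len(content)]) + content


def decode_der_integer(buf: bytes) -> int:
    """Decode one short-form DER INTEGER and return its signed value."""
    if len(buf) < 2 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = buf[1]
    content = buf[2:2 + length]
    if length == 0 or length > 127 or len(content) != length:
        raise ValueError("bad INTEGER length")
    return int.from_bytes(content, "big", signed=True)


def encode_kvno_rfc4120(kvno: int) -> bytes:
    """RFC 4120: kvno is UInt32, so values >= 2^31 get a leading 0x00 byte."""
    if not 0 <= kvno < 2**32:
        raise ValueError("kvno out of range")
    return der_integer(kvno)


def encode_kvno_windows(kvno: int) -> bytes:
    """Windows (and MIT krb5 <= 1.6, and the encoder after this commit):
    reinterpret the 32-bit pattern as signed, so kvno >= 2^31 becomes negative."""
    if not 0 <= kvno < 2**32:
        raise ValueError("kvno out of range")
    signed = struct.unpack("<i", struct.pack("<I", kvno))[0]
    return der_integer(signed)


def decode_kvno_strict(buf: bytes) -> int:
    """Strict RFC 4120 decoder: rejects the negative (Windows) form."""
    v = decode_der_integer(buf)
    if not 0 <= v < 2**32:
        raise ValueError("kvno out of range for UInt32")
    return v


def decode_kvno_legacy(buf: bytes, long_bits: int) -> int:
    """Model of the MIT decoder through 1.10 as the commit message describes it:
    decode into a C long of the platform's width, then cast to unsigned int.
    long_bits is 32 (ILP32) or 64 (LP64)."""
    v = decode_der_integer(buf)
    if not -(2 ** (long_bits - 1)) <= v < 2 ** (long_bits - 1):
        raise ValueError("value does not fit in long")
    return v & 0xFFFFFFFF


def decode_kvno_lenient(buf: bytes) -> int:
    """Decoder that accepts both forms and always yields the unsigned kvno."""
    v = decode_der_integer(buf)
    if not -(2**31) <= v < 2**32:
        raise ValueError("kvno out of range")
    return v & 0xFFFFFFFF


def interop_matrix(kvno: int) -> dict:
    """Run one kvno through every encoder/decoder pairing; "error" marks a rejection."""
    out = {}
    for enc_name, enc in (("rfc4120", encode_kvno_rfc4120), ("windows", encode_kvno_windows)):
        buf = enc(kvno)
        out[(enc_name, "hex")] = buf.hex()
        for dec_name, dec in (
            ("strict", decode_kvno_strict),
            ("legacy32", lambda b: decode_kvno_legacy(b, 32)),
            ("legacy64", lambda b: decode_kvno_legacy(b, 64)),
            ("lenient", decode_kvno_lenient),
        ):
            try:
                out[(enc_name, dec_name)] = dec(buf)
            except ValueError:
                out[(enc_name, dec_name)] = "error"
    return out


if __name__ == "__main__":
    RODC_KVNO = 0x80010003   # constructed: top bit set in the high 16 bits, small low part
    for kvno in (5, RODC_KVNO):
        print(f"kvno {kvno:#x}")
        for key, val in sorted(interop_matrix(kvno).items()):
            print(f"  {key[0]:8s} {key[1]:9s} {val if isinstance(val, str) else hex(val)}")
```

Running it shows the asymmetry the commit message relies on: for any kvno below 2^31 both encoders agree byte for byte, while for the RODC-style value the RFC 4120 form (02 05 00 80 01 00 03) is rejected by the legacy decoder on a 32-bit platform but accepted on a 64-bit one, and the Windows form (02 04 80 01 00 03) is rejected by the strict decoder but accepted by the legacy decoder on both platform widths. That is why emitting the signed form gives consistent behaviour across Windows, old MIT releases, and both platform widths.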